
Description
This little script reports the status of the “Password never expires” flag for user accounts. The check is done on a specific OU. You can adapt the script to run it domain-wide.
The principle of the script is simple:
- first, list all the user accounts with the “Password never expires” flag
- after that, list all the user accounts
- and finally, compare both lists created above to get the status
Script
Import-Module ActiveDirectory
$ou = "OU=Users and Groups,DC=domain,DC=local"
# list all accounts with the flag "Password never expires" = true
$passwordneverexpires_arr = @(Search-ADAccount -PasswordNeverExpires -SearchBase $ou | % {$_.DistinguishedName})
# list all user objects in the OU $ou
$all_arr = Get-ADUser -Filter * -SearchBase $ou | % {$_.DistinguishedName}
$all_arr | % {
    # compare both arrays and print the result; -contains does an exact comparison,
    # whereas -match would treat the DN as a regular expression
    if ($passwordneverexpires_arr -contains $_) { Write-Host -ForegroundColor Green "password never expires true for $_" }
    else { Write-Host -ForegroundColor Red "password never expires false for $_" }
}
The PowerShell cmdlet Search-ADAccount is very useful. It can also be used to perform these tasks:
You can find more information about this PowerShell cmdlet here.
For the Get-ADUser cmdlet, you can go here.
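The same status can be read in a single query, because Get-ADUser exposes PasswordNeverExpires as an extended property. The following is an added example, not the original author's script: the function name, its SearchBase parameter and the CSV file name are hypothetical, and it returns objects (with password age, to help prioritise remediation) instead of coloured text. Omitting -SearchBase runs it domain-wide.

```powershell
# Added example, not part of the original script.
Import-Module ActiveDirectory

function Get-PasswordNeverExpiresStatus {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: DN of the OU to audit; omit it to search the whole domain
        [string]$SearchBase
    )

    $params = @{
        Filter     = '*'
        Properties = 'PasswordNeverExpires', 'PasswordLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $now = Get-Date
    Get-ADUser @params | ForEach-Object {
        # PasswordLastSet is empty when no password was set or a change is forced at next logon
        $age = if ($_.PasswordLastSet) { [int](($now - $_.PasswordLastSet).TotalDays) } else { $null }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            Enabled              = $_.Enabled
            PasswordNeverExpires = [bool]$_.PasswordNeverExpires
            PasswordLastSet      = $_.PasswordLastSet
            PasswordAgeDays      = $age
            DistinguishedName    = $_.DistinguishedName
        }
    }
}

# Same OU as in the script above
$report = Get-PasswordNeverExpiresStatus -SearchBase "OU=Users and Groups,DC=domain,DC=local"

# Enabled accounts with the flag set, oldest password first
$report | Where-Object { $_.PasswordNeverExpires -and $_.Enabled } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table SamAccountName, PasswordLastSet, PasswordAgeDays -AutoSize

# Full status of every account, to compare between runs (file name is an example)
$report | Export-Csv -Path .\PasswordNeverExpires-status.csv -NoTypeInformation
```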
